> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tolmo.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the Tolmo CLI with Environment Variables

> Configure the Tolmo CLI for CI/CD with environment variables. Set TOLMO_API_TOKEN and TOLMO_ORG_SLUG to authenticate without interactive login.

The Tolmo CLI reads configuration from environment variables, making it easy to use in CI/CD pipelines and scripts without interactive login. Environment variable values take precedence over profile settings for the variables they cover — the rest of the configuration (such as the active organization) still comes from the profile unless you also set the corresponding variable.

## Variable reference

<ParamField path="TOLMO_API_TOKEN" type="string">
  API token used to authenticate requests. When set, Tolmo skips the profile lookup entirely and authenticates directly with this token. Generate a token from your organization settings in the Tolmo dashboard.
</ParamField>

<ParamField path="TOLMO_ORG_SLUG" type="string">
  Organization slug that identifies which organization to operate against. Required whenever you set `TOLMO_API_TOKEN`, since the token alone does not encode an org identity.
</ParamField>

<ParamField path="TOLMO_API_URL" type="string">
  Backend API base URL. Defaults to the production endpoint when not set. Override this to point the CLI at a staging or self-hosted environment.
</ParamField>

<ParamField path="TOLMO_INSTALL_DIR" type="string">
  Directory where the install script places the CLI binary. Set this before running `curl -fsSL https://tolmo.com/install.sh | sh` to control the installation target. The install script defaults to a writable user directory so that `sudo` is not required.
</ParamField>

<ParamField path="TOLMO_PROFILE" type="string">
  Default profile name used when `--profile` is not specified on the command line. Useful for switching the active profile for an entire shell session without passing `--profile` to every command.
</ParamField>

## CI/CD example

The following GitHub Actions workflow installs Tolmo and runs a security query using environment variables for authentication. No interactive login is needed and no credentials are stored on disk.

```yaml .github/workflows/tolmo.yml theme={null}
jobs:
  security-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Tolmo
        run: curl -fsSL https://tolmo.com/install.sh | sh
      - name: Run security query
        env:
          TOLMO_API_TOKEN: ${{ secrets.TOLMO_API_TOKEN }}
          TOLMO_ORG_SLUG: ${{ secrets.TOLMO_ORG_SLUG }}
        run: |
          tolmo findings list --status open --severity critical --json
```

Store `TOLMO_API_TOKEN` and `TOLMO_ORG_SLUG` as [encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in your GitHub repository or organization settings. The `env:` block injects them into the step at runtime without exposing them in logs.

<Warning>
  Never commit API tokens to source control. Use your CI provider's secrets management to store `TOLMO_API_TOKEN`. Anyone with access to a committed token can authenticate as your organization.
</Warning>

## Precedence

Environment variables override the active profile for the specific settings they cover. For example, setting `TOLMO_API_TOKEN` and `TOLMO_ORG_SLUG` bypasses profile-based authentication entirely, but any setting not covered by an environment variable — such as a custom API URL — still comes from the profile unless you also set `TOLMO_API_URL`.

The resolution order for each setting is:

1. **Environment variable** — highest priority, always wins when set
2. **Command-line flag** — for flags like `--org` and `--profile`
3. **Active profile** — values stored in `~/.tolmo/` by `tolmo auth login`
4. **Built-in default** — the production API URL and the `default` profile name
